
Headscale logs in user A with user B's auth key

Open fredrikekre opened this issue 2 months ago • 0 comments

Bug description

Logging in a node with a preauthkey logs in as the previous user that was logged in on the same node, i.e. after performing the following three steps on the same node:

  1. Login with user A's key
  2. Logout A
  3. Login with user B's key

the result is that user A is logged in even though user B's key is used. See the full terminal session with the steps to reproduce below. I noticed this with release 0.22.3 when changing the user for some nodes, and although the new key was used, the same old user was still logged in. The MWE below is with v0.23.0-alpha7.

Environment

  • OS: Ubuntu 22.04
  • Headscale version: v0.23.0-alpha7
  • Tailscale version: 1.64.0

To Reproduce

Install headscale on a clean machine (i.e. no existing config or database)

$ sudo apt install ./headscale_0.23.0-alpha7_linux_amd64.deb
[...]

$ sudo systemctl enable headscale

$ sudo systemctl start headscale

Create users foo and bar with associated keys:

$ sudo headscale users create foo

$ sudo headscale users create bar

$ sudo headscale preauthkeys create --user foo --reusable
73c546e371611141ef442e7aeaff918734708124072d530f

$ sudo headscale preauthkeys create --user bar --reusable
6b00073a57c0828e2cb5dcb4c64e2eef6de0972507f6478c

Login using foo's key works as expected:

$ sudo tailscale up --reset --login-server=http://localhost:8080 --auth-key=73c546e371611141ef442e7aeaff918734708124072d530f

$ tailscale status
100.64.0.1      myhost               foo          linux   -

$ sudo headscale nodes list
ID | Hostname | Name   | MachineKey | NodeKey | User | IP addresses                  | Ephemeral | Last seen           | Expiration          | Connected | Expired
1  | myhost   | myhost | [Rl+ED]    | [YHvFJ] | foo  | 100.64.0.1, fd7a:115c:a1e0::1 | false     | 2024-04-17 14:09:32 | 0001-01-01 00:00:00 | online    | no

Logout foo and login with bar's key:

$ sudo tailscale logout

$ sudo tailscale up --reset --login-server=http://localhost:8080 --auth-key=6b00073a57c0828e2cb5dcb4c64e2eef6de0972507f6478c

Even though the key belongs to bar we are logged in as foo according to both client and server:

$ tailscale status
100.64.0.1      myhost               foo          linux   -

$ sudo headscale nodes list
ID | Hostname | Name   | MachineKey | NodeKey | User | IP addresses                  | Ephemeral | Last seen           | Expiration          | Connected | Expired
1  | myhost   | myhost | [Rl+ED]    | [UgilM] | foo  | 100.64.0.1, fd7a:115c:a1e0::1 | false     | 2024-04-17 14:10:17 | 0001-01-01 00:00:00 | online    | no

Both keys are marked as used:

$ sudo headscale preauthkeys list -u foo
ID | Key                                              | Reusable | Ephemeral | Used | Expiration          | Created             | Tags
1  | 73c546e371611141ef442e7aeaff918734708124072d530f | true     | false     | true | 2024-04-17 15:07:54 | 2024-04-17 14:07:54 |

$ sudo headscale preauthkeys list -u bar
ID | Key                                              | Reusable | Ephemeral | Used | Expiration          | Created             | Tags
2  | 6b00073a57c0828e2cb5dcb4c64e2eef6de0972507f6478c | true     | false     | true | 2024-04-17 15:07:58 | 2024-04-17 14:07:58 |

Logs and attachments

  • ACL configuration: N/A
  • Headscale configuration: Default /etc/headscale/config.yml installed with .deb.

fredrikekre, Apr 17 '24 14:04
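To make the reported behaviour concrete, here is an added Go model of the registration step; it is not headscale's own code. It assumes, from the unchanged node ID and machine key in the output above, that the server looks up the node row by machine key and reuses it; the names Registry, Register and Scenario and the key strings are constructed for this example.

```go
package main

// Node models one row of "headscale nodes list": a machine (MachineKey)
// registered to one User with its current NodeKey.
type Node struct{ MachineKey, NodeKey, User string }

// Registry stands in for the headscale database: node rows keyed by machine
// key, and pre-auth keys mapped to the user each was created for.
type Registry struct {
	Nodes map[string]*Node
	Keys  map[string]string // auth key -> owning user
}

// Register models "tailscale up --auth-key=...". With rebind=false it
// reproduces the reported behaviour: a known machine key reuses its stored
// row and only refreshes the node key, so the owner of authKey is looked up
// but never applied. With rebind=true the key's owner is authoritative and
// the row is re-bound to it (rejecting the mismatch would be the stricter
// option). The bool result is false for an unknown key.
func Register(r *Registry, machineKey, nodeKey, authKey string, rebind bool) (*Node, bool) {
	user, ok := r.Keys[authKey]
	if !ok {
		return nil, false
	}
	n, found := r.Nodes[machineKey]
	switch {
	case !found:
		n = &Node{MachineKey: machineKey, User: user}
		r.Nodes[machineKey] = n
	case rebind:
		n.User = user // the step that is missing in the reported behaviour
	}
	n.NodeKey = nodeKey
	return n, true
}

// Scenario replays the report's three steps on one host (login with foo's
// key, logout, login with bar's key) and returns the user the node ends up
// with. Logout keeps the row, as the unchanged node ID in the report shows.
func Scenario(rebind bool) string {
	r := &Registry{
		Nodes: map[string]*Node{},
		Keys:  map[string]string{"key-foo": "foo", "key-bar": "bar"}, // constructed keys
	}
	Register(r, "mkey-myhost", "nkey-1", "key-foo", rebind)
	if n, ok := Register(r, "mkey-myhost", "nkey-2", "key-bar", rebind); ok {
		return n.User
	}
	return ""
}
```

Scenario(false) ends with the node still owned by foo, matching the report; Scenario(true) ends with bar.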